From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 72FB027510B for ; Tue, 22 Apr 2025 11:33:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745321592; cv=none; b=tmeNvMVmDsSDUAvf236Ie1XOitkNqEXGuK1vbhGjRpfwMvV8Z/lB9i4XOwKjoKIpktan+73W90r2ttith51agxjsov6gdyZO05iW0BMqK0oEn+Py3ewWyGDpU3Akjl/T5sRfwoX/xU1QISHtRQDQzIui+caSpejbEp9UPoRAHvE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745321592; c=relaxed/simple; bh=WWMpDqigqrIVD8mouh/ymqpfUqOuRx9/akPPSuPHQ3I=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=SeL11o9+8k3VcrDQ/jNeBg3pP8F1vrZi8rkM7IWgqTSu93PvOQNUnT5tFHbbW1r8NDlqw4/k8Sdv0YpobASXqYpSzbtHnUQKH32FneYdhqJCrTEfuAfelBFaaxYIWW+TLso52+MV+Qkaw2qLL5u7tPjdJ5ot+7LoeQK/hLdva+s= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=qF5RLjvy; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="qF5RLjvy" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6CCC9C4CEE9; Tue, 22 Apr 2025 11:33:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1745321590; bh=WWMpDqigqrIVD8mouh/ymqpfUqOuRx9/akPPSuPHQ3I=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=qF5RLjvy/cOEbpN0k7LFTz7clLnCfGQnqqKm9DB43Vxmxu1yWRfjD0L8Vhe0M0/cc SDsdESgvZIPqHn95IhDu/QhvL+pI/1/e/nTpzddNYiv1hkvEqPtO9SZkSqLgIWw9rv c+nu/R/xBF3W4KHbPjnkVXrP6skNM6AIX5N+8MXRIoy8s+PNlKUo+PVCvjvr94slnj 2l3PgOG70M7Du3IGk1or0RsiHIgpjtVo+W0CguzQmeiwuJ59m1f3TUIqIPCNLuGSsG lVwSux8TFIDS8gFEwcXe2K4izmAwqcku02/XuuhAf7o9gZtwF6nBsIrCsV4Q1r9+F1 VHW2P5JgeofSQ== Message-ID: Subject: Re: [PATCH v1] fuse: use splice for reading user pages on servers that enable it From: Jeff Layton To: Bernd Schubert , Joanne Koong , miklos@szeredi.hu Cc: linux-fsdevel@vger.kernel.org, kernel-team@meta.com Date: Tue, 22 Apr 2025 07:33:09 -0400 In-Reply-To: References: <20250419000614.3795331-1-joannelkoong@gmail.com> <5332002a-e444-4f62-8217-8d124182290d@fastmail.fm> <26673a5077b148e98a3957532f0cb445aa7ed3c7.camel@kernel.org> Autocrypt: addr=jlayton@kernel.org; prefer-encrypt=mutual; keydata=mQINBE6V0TwBEADXhJg7s8wFDwBMEvn0qyhAnzFLTOCHooMZyx7XO7dAiIhDSi7G1NPxw n8jdFUQMCR/GlpozMFlSFiZXiObE7sef9rTtM68ukUyZM4pJ9l0KjQNgDJ6Fr342Htkjxu/kFV1Wv egyjnSsFt7EGoDjdKqr1TS9syJYFjagYtvWk/UfHlW09X+jOh4vYtfX7iYSx/NfqV3W1D7EDi0PqV T2h6v8i8YqsATFPwO4nuiTmL6I40ZofxVd+9wdRI4Db8yUNA4ZSP2nqLcLtFjClYRBoJvRWvsv4lm 0OX6MYPtv76hka8lW4mnRmZqqx3UtfHX/hF/zH24Gj7A6sYKYLCU3YrI2Ogiu7/ksKcl7goQjpvtV YrOOI5VGLHge0awt7bhMCTM9KAfPc+xL/ZxAMVWd3NCk5SamL2cE99UWgtvNOIYU8m6EjTLhsj8sn VluJH0/RcxEeFbnSaswVChNSGa7mXJrTR22lRL6ZPjdMgS2Km90haWPRc8Wolcz07Y2se0xpGVLEQ cDEsvv5IMmeMe1/qLZ6NaVkNuL3WOXvxaVT9USW1+/SGipO2IpKJjeDZfehlB/kpfF24+RrK+seQf CBYyUE8QJpvTZyfUHNYldXlrjO6n5MdOempLqWpfOmcGkwnyNRBR46g/jf8KnPRwXs509yAqDB6sE LZH+yWr9LQZEwARAQABtCVKZWZmIExheXRvbiA8amxheXRvbkBwb29jaGllcmVkcy5uZXQ+iQI7BB MBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCTpXWPAIZAQAKCRAADmhBGVaCFc65D/4 gBLNMHopQYgG/9RIM3kgFCCQV0pLv0hcg1cjr+bPI5f1PzJoOVi9s0wBDHwp8+vtHgYhM54yt43uI 7Htij0RHFL5eFqoVT4TSfAg2qlvNemJEOY0e4daljjmZM7UtmpGs9NN0r9r50W82eb5Kw5bc/r0km R/arUS2st+ecRsCnwAOj6HiURwIgfDMHGPtSkoPpu3DDp/cjcYUg3HaOJuTjtGHFH963B+f+hyQ2B rQZBBE76ErgTDJ2Db9Ey0kw7VEZ4I2nnVUY9B5dE2pJFVO5HJBMp30fUGKvwaKqYCU2iAKxdmJXRI ONb7dSde8LqZahuunPDMZyMA5+mkQl7kpIpR6kVDIiqmxzRuPeiMP7O2FCUlS2DnJnRVrHmCljLkZ Wf7ZUA22wJpepBligemtSRSbqCyZ3B48zJ8g5B8xLEntPo/NknSJaYRvfEQqGxgk5kkNWMIMDkfQO lDSXZvoxqU9wFH/9jTv1/6p8dHeGM0BsbBLMqQaqnWiVt5mG92E1zkOW69LnoozE6Le+12DsNW7Rj iR5K+27MObjXEYIW7FIvNN/TQ6U1EOsdxwB8o//Yfc3p2QqPr5uS93SDDan5ehH59BnHpguTc27Xi QQZ9EGiieCUx6Zh2ze3X2UW9YNzE15uKwkkuEIj60NvQRmEDfweYfOfPVOueC+iFifbQgSmVmZiBM YXl0b24gPGpsYXl0b25AcmVkaGF0LmNvbT6JAjgEEwECACIFAk6V0q0CGwMGCwkIBwMCBhUIAgkKC wQWAgMBAh4BAheAAAoJEAAOaEEZVoIViKUQALpvsacTMWWOd7SlPFzIYy2/fjvKlfB/Xs4YdNcf9q LqF+lk2RBUHdR/dGwZpvw/OLmnZ8TryDo2zXVJNWEEUFNc7wQpl3i78r6UU/GUY/RQmOgPhs3epQC 3PMJj4xFx+VuVcf/MXgDDdBUHaCTT793hyBeDbQuciARDJAW24Q1RCmjcwWIV/pgrlFa4lAXsmhoa c8UPc82Ijrs6ivlTweFf16VBc4nSLX5FB3ls7S5noRhm5/Zsd4PGPgIHgCZcPgkAnU1S/A/rSqf3F LpU+CbVBDvlVAnOq9gfNF+QiTlOHdZVIe4gEYAU3CUjbleywQqV02BKxPVM0C5/oVjMVx3bri75n1 TkBYGmqAXy9usCkHIsG5CBHmphv9MHmqMZQVsxvCzfnI5IO1+7MoloeeW/lxuyd0pU88dZsV/riHw 87i2GJUJtVlMl5IGBNFpqoNUoqmvRfEMeXhy/kUX4Xc03I1coZIgmwLmCSXwx9MaCPFzV/dOOrju2 xjO+2sYyB5BNtxRqUEyXglpujFZqJxxau7E0eXoYgoY9gtFGsspzFkVNntamVXEWVVgzJJr/EWW0y +jNd54MfPRqH+eCGuqlnNLktSAVz1MvVRY1dxUltSlDZT7P2bUoMorIPu8p7ZCg9dyX1+9T6Muc5d Hxf/BBP/ir+3e8JTFQBFOiLNdFtB9KZWZmIExheXRvbiA8amxheXRvbkBzYW1iYS5vcmc+iQI4BBM BAgAiBQJOldK9AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAADmhBGVaCFWgWD/0ZRi4h N9FK2BdQs9RwNnFZUr7JidAWfCrs37XrA/56olQl3ojn0fQtrP4DbTmCuh0SfMijB24psy1GnkPep naQ6VRf7Dxg/Y8muZELSOtsv2CKt3/02J1BBitrkkqmHyni5fLLYYg6fub0T/8Kwo1qGPdu1hx2BQ RERYtQ/S5d/T0cACdlzi6w8rs5f09hU9Tu4qV1JLKmBTgUWKN969HPRkxiojLQziHVyM/weR5Reu6 FZVNuVBGqBD+sfk/c98VJHjsQhYJijcsmgMb1NohAzwrBKcSGKOWJToGEO/1RkIN8tqGnYNp2G+aR 685D0chgTl1WzPRM6mFG1+n2b2RR95DxumKVpwBwdLPoCkI24JkeDJ7lXSe3uFWISstFGt0HL8Eew P8RuGC8s5h7Ct91HMNQTbjgA+Vi1foWUVXpEintAKgoywaIDlJfTZIl6Ew8ETN/7DLy8bXYgq0Xzh aKg3CnOUuGQV5/nl4OAX/3jocT5Cz/OtAiNYj5mLPeL5z2ZszjoCAH6caqsF2oLyAnLqRgDgR+wTQ T6gMhr2IRsl+cp8gPHBwQ4uZMb+X00c/Amm9VfviT+BI7B66cnC7Zv6Gvmtu2rEjWDGWPqUgccB7h dMKnKDthkA227/82tYoFiFMb/NwtgGrn5n2vwJyKN6SEoygGrNt0SI84y6hEVbQlSmVmZiBMYXl0b 24gPGpsYXl0b25AcHJpbWFyeWRhdGEuY29tPokCOQQTAQIAIwUCU4xmKQIbAwcLCQgHAwIBBhUIAg kKCwQWAgMBAh4BAheAAAoJEAAOaEEZVoIV1H0P/j4OUTwFd7BBbpoSp695qb6HqCzWMuExsp8nZjr uymMaeZbGr3OWMNEXRI1FWNHMtcMHWLP/RaDqCJil28proO+PQ/yPhsr2QqJcW4nr91tBrv/MqItu AXLYlsgXqp4BxLP67bzRJ1Bd2x0bWXurpEXY//VBOLnODqThGEcL7jouwjmnRh9FTKZfBDpFRaEfD FOXIfAkMKBa/c9TQwRpx2DPsl3eFWVCNuNGKeGsirLqCxUg5kWTxEorROppz9oU4HPicL6rRH22Ce 6nOAON2vHvhkUuO3GbffhrcsPD4DaYup4ic+DxWm+DaSSRJ+e1yJvwi6NmQ9P9UAuLG93S2MdNNbo sZ9P8k2mTOVKMc+GooI9Ve/vH8unwitwo7ORMVXhJeU6Q0X7zf3SjwDq2lBhn1DSuTsn2DbsNTiDv qrAaCvbsTsw+SZRwF85eG67eAwouYk+dnKmp1q57LDKMyzysij2oDKbcBlwB/TeX16p8+LxECv51a sjS9TInnipssssUDrHIvoTTXWcz7Y5wIngxDFwT8rPY3EggzLGfK5Zx2Q5S/N0FfmADmKknG/D8qG IcJE574D956tiUDKN4I+/g125ORR1v7bP+OIaayAvq17RP+qcAqkxc0x8iCYVCYDouDyNvWPGRhbL UO7mlBpjW9jK9e2fvZY9iw3QzIPGKtClKZWZmIExheXRvbiA8amVmZi5sYXl0b25AcHJpbWFyeWRh dGEuY29tPokCOQQTAQIAIwUCU4xmUAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEAAOa EEZVoIVzJoQALFCS6n/FHQS+hIzHIb56JbokhK0AFqoLVzLKzrnaeXhE5isWcVg0eoV2oTScIwUSU apy94if69tnUo4Q7YNt8/6yFM6hwZAxFjOXR0ciGE3Q+Z1zi49Ox51yjGMQGxlakV9ep4sV/d5a50 M+LFTmYSAFp6HY23JN9PkjVJC4PUv5DYRbOZ6Y1+TfXKBAewMVqtwT1Y+LPlfmI8dbbbuUX/kKZ5d dhV2736fgyfpslvJKYl0YifUOVy4D1G/oSycyHkJG78OvX4JKcf2kKzVvg7/Rnv+AueCfFQ6nGwPn 0P91I7TEOC4XfZ6a1K3uTp4fPPs1Wn75X7K8lzJP/p8lme40uqwAyBjk+IA5VGd+CVRiyJTpGZwA0 jwSYLyXboX+Dqm9pSYzmC9+/AE7lIgpWj+3iNisp1SWtHc4pdtQ5EU2SEz8yKvDbD0lNDbv4ljI7e flPsvN6vOrxz24mCliEco5DwhpaaSnzWnbAPXhQDWb/lUgs/JNk8dtwmvWnqCwRqElMLVisAbJmC0 BhZ/Ab4sph3EaiZfdXKhiQqSGdK4La3OTJOJYZphPdGgnkvDV9Pl1QZ0ijXQrVIy3zd6VCNaKYq7B AKidn5g/2Q8oio9Tf4XfdZ9dtwcB+bwDJFgvvDYaZ5bI3ln4V3EyW5i2NfXazz/GA/I/ZtbsigCFc 8ftCBKZWZmIExheXRvbiA8amxheXRvbkBrZXJuZWwub3JnPokCOAQTAQIAIgUCWe8u6AIbAwYLCQg HAwIGFQgCCQoLBBYCAwECHgECF4AACgkQAA5oQRlWghUuCg/+Lb/xGxZD2Q1oJVAE37uW308UpVSD 2tAMJUvFTdDbfe3zKlPDTuVsyNsALBGclPLagJ5ZTP+Vp2irAN9uwBuacBOTtmOdz4ZN2tdvNgozz uxp4CHBDVzAslUi2idy+xpsp47DWPxYFIRP3M8QG/aNW052LaPc0cedYxp8+9eiVUNpxF4SiU4i9J DfX/sn9XcfoVZIxMpCRE750zvJvcCUz9HojsrMQ1NFc7MFT1z3MOW2/RlzPcog7xvR5ENPH19ojRD CHqumUHRry+RF0lH00clzX/W8OrQJZtoBPXv9ahka/Vp7kEulcBJr1cH5Wz/WprhsIM7U9pse1f1g Yy9YbXtWctUz8uvDR7shsQxAhX3qO7DilMtuGo1v97I/Kx4gXQ52syh/w6EBny71CZrOgD6kJwPVV AaM1LRC28muq91WCFhs/nzHozpbzcheyGtMUI2Ao4K6mnY+3zIuXPygZMFr9KXE6fF7HzKxKuZMJO aEZCiDOq0anx6FmOzs5E6Jqdpo/mtI8beK+BE7Va6ni7YrQlnT0i3vaTVMTiCThbqsB20VrbMjlhp f8lfK1XVNbRq/R7GZ9zHESlsa35ha60yd/j3pu5hT2xyy8krV8vGhHvnJ1XRMJBAB/UYb6FyC7S+m QZIQXVeAA+smfTT0tDrisj1U5x6ZB9b3nBg65kc= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.54.3 (3.54.3-1.fc41) Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 On Mon, 2025-04-21 at 23:38 +0200, Bernd Schubert wrote: >=20 > On 4/21/25 14:35, Jeff Layton wrote: > > On Mon, 2025-04-21 at 13:49 +0200, Bernd Schubert wrote: > > >=20 > > > On 4/19/25 02:06, Joanne Koong wrote: > > > > For direct io writes, splice is disabled when forwarding pages from= the > > > > client to the server. This is because the pages in the pipe buffer = are > > > > user pages, which is controlled by the client. Thus if a server rep= lies > > > > to the request and then keeps accessing the pages afterwards, there= is > > > > the possibility that the client may have modified the contents of t= he > > > > pages in the meantime. More context on this can be found in commit > > > > 0c4bcfdecb1a ("fuse: fix pipe buffer lifetime for direct_io"). > > > >=20 > > > > For servers that do not need to access pages after answering the > > > > request, splice gives a non-trivial improvement in performance. > > > > Benchmarks show roughly a 40% speedup. > > > >=20 > > > > Allow servers to enable zero-copy splice for servicing client direc= t io > > > > writes. By enabling this, the server understands that they should n= ot > > > > continue accessing the pipe buffer after completing the request or = may > > > > face incorrect data if they do so. > > > >=20 > > > > Signed-off-by: Joanne Koong > > > > --- > > > > fs/fuse/dev.c | 18 ++++++++++-------- > > > > fs/fuse/dev_uring.c | 4 ++-- > > > > fs/fuse/fuse_dev_i.h | 5 +++-- > > > > fs/fuse/fuse_i.h | 3 +++ > > > > fs/fuse/inode.c | 5 ++++- > > > > include/uapi/linux/fuse.h | 8 ++++++++ > > > > 6 files changed, 30 insertions(+), 13 deletions(-) > > > >=20 > > > > diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c > > > > index 67d07b4c778a..1b0ea8593f74 100644 > > > > --- a/fs/fuse/dev.c > > > > +++ b/fs/fuse/dev.c > > > > @@ -816,12 +816,13 @@ static int unlock_request(struct fuse_req *re= q) > > > > return err; > > > > } > > > > =20 > > > > -void fuse_copy_init(struct fuse_copy_state *cs, bool write, > > > > - struct iov_iter *iter) > > > > +void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *= fc, > > > > + bool write, struct iov_iter *iter) > > > > { > > > > memset(cs, 0, sizeof(*cs)); > > > > cs->write =3D write; > > > > cs->iter =3D iter; > > > > + cs->splice_read_user_pages =3D fc->splice_read_user_pages; > > > > } > > > > =20 > > > > /* Unmap and put previous page of userspace buffer */ > > > > @@ -1105,9 +1106,10 @@ static int fuse_copy_page(struct fuse_copy_s= tate *cs, struct page **pagep, > > > > if (cs->write && cs->pipebufs && page) { > > > > /* > > > > * Can't control lifetime of pipe buffers, so always > > > > - * copy user pages. > > > > + * copy user pages if server does not support splice > > > > + * for reading user pages. > > > > */ > > > > - if (cs->req->args->user_pages) { > > > > + if (cs->req->args->user_pages && !cs->splice_read_user_pages) { > > > > err =3D fuse_copy_fill(cs); > > > > if (err) > > > > return err; > > > > @@ -1538,7 +1540,7 @@ static ssize_t fuse_dev_read(struct kiocb *io= cb, struct iov_iter *to) > > > > if (!user_backed_iter(to)) > > > > return -EINVAL; > > > > =20 > > > > - fuse_copy_init(&cs, true, to); > > > > + fuse_copy_init(&cs, fud->fc, true, to); > > > > =20 > > > > return fuse_dev_do_read(fud, file, &cs, iov_iter_count(to)); > > > > } > > > > @@ -1561,7 +1563,7 @@ static ssize_t fuse_dev_splice_read(struct fi= le *in, loff_t *ppos, > > > > if (!bufs) > > > > return -ENOMEM; > > > > =20 > > > > - fuse_copy_init(&cs, true, NULL); > > > > + fuse_copy_init(&cs, fud->fc, true, NULL); > > > > cs.pipebufs =3D bufs; > > > > cs.pipe =3D pipe; > > > > ret =3D fuse_dev_do_read(fud, in, &cs, len); > > > > @@ -2227,7 +2229,7 @@ static ssize_t fuse_dev_write(struct kiocb *i= ocb, struct iov_iter *from) > > > > if (!user_backed_iter(from)) > > > > return -EINVAL; > > > > =20 > > > > - fuse_copy_init(&cs, false, from); > > > > + fuse_copy_init(&cs, fud->fc, false, from); > > > > =20 > > > > return fuse_dev_do_write(fud, &cs, iov_iter_count(from)); > > > > } > > > > @@ -2301,7 +2303,7 @@ static ssize_t fuse_dev_splice_write(struct p= ipe_inode_info *pipe, > > > > } > > > > pipe_unlock(pipe); > > > > =20 > > > > - fuse_copy_init(&cs, false, NULL); > > > > + fuse_copy_init(&cs, fud->fc, false, NULL); > > > > cs.pipebufs =3D bufs; > > > > cs.nr_segs =3D nbuf; > > > > cs.pipe =3D pipe; > > > > diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c > > > > index ef470c4a9261..52b883a6a79d 100644 > > > > --- a/fs/fuse/dev_uring.c > > > > +++ b/fs/fuse/dev_uring.c > > > > @@ -593,7 +593,7 @@ static int fuse_uring_copy_from_ring(struct fus= e_ring *ring, > > > > if (err) > > > > return err; > > > > =20 > > > > - fuse_copy_init(&cs, false, &iter); > > > > + fuse_copy_init(&cs, ring->fc, false, &iter); > > > > cs.is_uring =3D true; > > > > cs.req =3D req; > > > > =20 > > > > @@ -623,7 +623,7 @@ static int fuse_uring_args_to_ring(struct fuse_= ring *ring, struct fuse_req *req, > > > > return err; > > > > } > > > > =20 > > > > - fuse_copy_init(&cs, true, &iter); > > > > + fuse_copy_init(&cs, ring->fc, true, &iter); > > > > cs.is_uring =3D true; > > > > cs.req =3D req; > > > > =20 > > > > diff --git a/fs/fuse/fuse_dev_i.h b/fs/fuse/fuse_dev_i.h > > > > index db136e045925..25e593e64c67 100644 > > > > --- a/fs/fuse/fuse_dev_i.h > > > > +++ b/fs/fuse/fuse_dev_i.h > > > > @@ -32,6 +32,7 @@ struct fuse_copy_state { > > > > bool write:1; > > > > bool move_pages:1; > > > > bool is_uring:1; > > > > + bool splice_read_user_pages:1; > > > > struct { > > > > unsigned int copied_sz; /* copied size into the user buffer */ > > > > } ring; > > > > @@ -51,8 +52,8 @@ struct fuse_req *fuse_request_find(struct fuse_pq= ueue *fpq, u64 unique); > > > > =20 > > > > void fuse_dev_end_requests(struct list_head *head); > > > > =20 > > > > -void fuse_copy_init(struct fuse_copy_state *cs, bool write, > > > > - struct iov_iter *iter); > > > > +void fuse_copy_init(struct fuse_copy_state *cs, struct fuse_conn *= conn, > > > > + bool write, struct iov_iter *iter); > > > > int fuse_copy_args(struct fuse_copy_state *cs, unsigned int numarg= s, > > > > unsigned int argpages, struct fuse_arg *args, > > > > int zeroing); > > > > diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h > > > > index 3d5289cb82a5..e21875f16220 100644 > > > > --- a/fs/fuse/fuse_i.h > > > > +++ b/fs/fuse/fuse_i.h > > > > @@ -898,6 +898,9 @@ struct fuse_conn { > > > > /* Use io_uring for communication */ > > > > bool io_uring:1; > > > > =20 > > > > + /* Allow splice for reading user pages */ > > > > + bool splice_read_user_pages:1; > > > > + > > > > /** Maximum stack depth for passthrough backing files */ > > > > int max_stack_depth; > > > > =20 > > > > diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c > > > > index 43b6643635ee..e82e96800fde 100644 > > > > --- a/fs/fuse/inode.c > > > > +++ b/fs/fuse/inode.c > > > > @@ -1439,6 +1439,9 @@ static void process_init_reply(struct fuse_mo= unt *fm, struct fuse_args *args, > > > > =20 > > > > if (flags & FUSE_REQUEST_TIMEOUT) > > > > timeout =3D arg->request_timeout; > > > > + > > > > + if (flags & FUSE_SPLICE_READ_USER_PAGES) > > > > + fc->splice_read_user_pages =3D true; > > >=20 > > >=20 > > > Shouldn't that check for capable(CAP_SYS_ADMIN)? Isn't the issue > > > that one can access file content although the write is already > > > marked as completed? I.e. a fuse file system might get data > > > it was never exposed to and possibly secret data? > > > A more complex version version could check for CAP_SYS_ADMIN, but > > > also allow later on read/write to files that have the same uid as > > > the fuser-server process? > > >=20 > >=20 > > IDGI. I don't see how this allows the server access to something it > > didn't have access to before. > >=20 > > This patchset seems to be about a "contract" between the kernel and the > > userland server. The server is agreeing to be very careful about not > > touching pages after a write request completes, and the kernel allows > > splicing the pages if that's the case. > >=20 > > Can you explain the potential attack vector? >=20 > Let's the server claim it does FUSE_SPLICE_READ_USER_PAGES, i.e. claims > it stops using splice buffers before completing write requests. But then > it actually first replies to the write and after an arbitrary amount > of time writes out the splice buffer. User application might be using > the buffer it send for write for other things and might not want to > expose that. I.e. application expects that after write(, buf,) > it can use 'buf' for other purposes and that the file system does not > access it anymore once write() is complete. I.e. it can put sensitive > data into the buffer, which it might not want to expose. > From my point of the issue is mainly with allow_other in combination > with "user_allow_other" in libfuse, as root has better ways to access dat= a. >=20 That would definitely break the contract. The question is whether that's a security issue. I'm not convinced that it is, given all of the other ways you can do nefarious stuff with an unprivileged server. That said, if there is any question, gating this behind CAP_SYS_ADMIN seems like a reasonable thing to do. We could always relax that later if we decide that it's a non-issue. --=20 Jeff Layton